Cloud Computing: Security Issues And Research Challenges


IRACST - International Journal of Computer Science and Information Technology & Security (IJCSITS), Vol. 1, No. 2, December 2011

Cloud Computing: Security Issues and Research Challenges

Rabi Prasad Padhy (1), Manas Ranjan Patra (2), Suresh Chandra Satapathy (3)

(1) Senior Software Engineer, Oracle India Pvt. Ltd., Bangalore, India
(2) Associate Professor, Dept. of Computer Science, Berhampur University, India
(3) HOD & Professor, Dept. of Computer Sc. & Engg., ANITS, Sanivasala, India

Abstract—Cloud computing is an architecture for providing computing service via the internet, with on-demand, pay-per-use access to a pool of shared resources, namely networks, storage, servers, services and applications, without physically acquiring them. It therefore saves organizations management cost and time. Many industries, such as banking, healthcare and education, are moving towards the cloud because of the efficiency of services provided by the pay-per-use pattern, which is based on resources such as processing power used, transactions carried out, bandwidth consumed, data transferred, or storage space occupied. Cloud computing is a completely internet-dependent technology where client data is stored and maintained in the data center of a cloud provider such as Google, Amazon, Salesforce.com and Microsoft. Limited control over the data may incur various security issues and threats, which include data leakage, insecure interfaces, sharing of resources, data availability and inside attacks. There are also various research challenges in adopting cloud computing, such as well-managed service level agreements (SLA), privacy, interoperability and reliability. This research paper outlines what cloud computing is, the various cloud models and the main security risks and issues that are currently present within the cloud computing industry.
This research paper also analyzes the key research and challenges present in cloud computing and offers best practices to service providers as well as enterprises hoping to leverage cloud services to improve their bottom line in this severe economic climate.

Keywords: Security Issues, Cloud Security, Cloud Architecture, Data Protection, Cloud Platform, Grid Computing

ISSN: 2249-9555

I. INTRODUCTION

Cloud Computing is a distributed architecture that centralizes server resources on a scalable platform so as to provide on-demand computing resources and services. Cloud service providers (CSPs) offer cloud platforms for their customers to use and create their web services, much like internet service providers offer customers high speed broadband to access the internet. CSPs and ISPs (Internet Service Providers) both offer services. Cloud computing is a model that enables convenient, on-demand network access to a shared pool of configurable computing resources, such as networks, servers, storage and applications, that can be rapidly provisioned and released with minimal management effort or service provider interaction. In general, cloud providers offer three types of services: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). There are various reasons for organizations to move towards IT solutions that include cloud computing, as they are only required to pay for the resources on a consumption basis. In addition, organizations can easily meet the needs of rapidly changing markets to ensure that they are always on the leading edge for their consumers [1]. Cloud computing appeared as a business necessity, animated by the idea of just using the infrastructure without managing it. Although initially this idea was present only in the academic area, recently it was transposed into industry by companies like Microsoft, Amazon, Google, Yahoo! and Salesforce.com.
This makes it possible for new startups to enter the market more easily, since the cost of the infrastructure is greatly diminished. This allows developers to concentrate on the business value rather than on the starting budget. The clients of commercial clouds rent computing power (virtual machines) or storage space (virtual space) dynamically, according to the needs of their business. By exploiting this technology, users can access heavy applications via lightweight portable devices such as mobile phones, PCs and PDAs.

Clouds are the new trend in the evolution of distributed systems, the predecessor of the cloud being the grid. The user does not require knowledge or expertise to control the infrastructure of clouds; it provides only abstraction. It can be utilized as a service of the Internet with high scalability, higher throughput, quality of service and high computing power. Cloud computing providers deliver common online business applications which are accessed from servers through a web browser [2].

II. CLOUD COMPUTING BUILDING BLOCKS

A. Different models of cloud computing

Generally, cloud services can be divided into three categories: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).

Software-as-a-Service (SaaS): SaaS can be described as a process by which Application Service Providers (ASP) provide

different software applications over the Internet. This relieves the customer of installing and operating the application on their own computer and also eliminates the tremendous load of software maintenance, continuing operation, safeguarding and support [3]. The SaaS vendor advertently takes responsibility for deploying and managing the IT infrastructure (servers, operating system software, databases, data center space, network access, power and cooling, etc.) and processes (infrastructure patches/upgrades, application patches/upgrades, backups, etc.) required to run and manage the full solution. SaaS features a complete application offered as a service on demand. Examples of SaaS include Salesforce.com and Google Apps.

Figure 1. High Level View of Cloud Computing Architecture

Platform as a Service (PaaS): PaaS is the delivery of a computing platform and solution stack as a service without software downloads or installation for developers, IT managers or end-users. It provides an infrastructure with a high level of integration in order to implement and test cloud applications. The user does not manage the infrastructure (including network, servers, operating systems and storage), but controls the deployed applications and, possibly, their configurations. Examples of PaaS include Force.com, Google App Engine and Microsoft Azure.

Infrastructure as a Service (IaaS): Infrastructure as a Service (IaaS) refers to the sharing of hardware resources for executing services using virtualization technology. Its main objective is to make resources such as servers, network and storage more readily accessible by applications and operating systems. Thus, it offers basic infrastructure on-demand services, using an Application Programming Interface (API) for interactions with hosts, switches, and routers, and the capability of adding new equipment in a simple and transparent manner.
In general, the user does not manage the underlying hardware in the cloud infrastructure, but controls the operating systems, storage and deployed applications. The service provider owns the equipment and is responsible for housing, running and maintaining it. The client typically pays on a per-use basis. Examples of IaaS include Amazon Elastic Compute Cloud (EC2), Amazon S3 and GoGrid.

There are also four different cloud deployment models, namely Private cloud, Public cloud, Hybrid cloud and Community cloud. Details about the models are given below.

Private cloud: A private cloud can be owned or leased and managed by the organization or a third party, and can exist on premises or off premises. It is more expensive and more secure when compared to a public cloud. In a private cloud there are no additional security regulations, legal requirements or bandwidth limitations of the kind that can be present in a public cloud environment. By using a private cloud, the cloud service providers and the clients have optimized control of the infrastructure and improved security, since user access and the networks used are restricted. One of the best examples of a private cloud is Eucalyptus Systems [4].

Public Cloud: A cloud infrastructure is provided to many customers, is managed by a third party and exists beyond the company firewall. Multiple enterprises can work on the infrastructure provided at the same time, and users can dynamically provision resources. These clouds are fully hosted and managed by the cloud provider, which has full responsibility for installation, management, provisioning, and maintenance. Customers are only charged for the resources they use, so under-utilization is eliminated. Since consumers have little control over the infrastructure, processes requiring powerful security and regulatory compliance are not always a good fit for public clouds. In this model, no access restrictions can be applied and no authorization and authentication techniques can be used.
Public cloud providers such as Google or Amazon offer access control to their clients. Examples of a public cloud include Microsoft Azure and Google App Engine.

Hybrid Cloud: A composition of two or more cloud deployment models, linked in a way that data transfer takes place between them without affecting each other. These clouds would typically be created by the enterprise, and management responsibilities would be split between the enterprise and the cloud provider. In this model, a company can outline the goals and needs of services [5]. A well-constructed hybrid cloud can be useful for providing secure services such as receiving customer payments, as well as those that are secondary to the business, such as employee payroll processing. The major drawback of the hybrid cloud is the difficulty in effectively creating and governing such a solution. Services from different sources must be obtained and provisioned as if they originated from a single location, and interactions between private and public components can make the implementation even more complicated. These can be private, community or public clouds

which are linked by a proprietary or standard technology that provides portability of data and applications among the composing clouds. An example of a Hybrid Cloud is Amazon Web Services (AWS).

Community Cloud: Infrastructure shared by several organizations for a shared cause, which may be managed by them or by a third party service provider. It is a rarely offered cloud model. These clouds are normally based on an agreement between related business organizations such as banking or educational organizations. A cloud environment operating according to this model may exist locally or remotely. An example of a Community Cloud is Facebook, which is shown in Figure 1.

B. Cloud computing entities

Cloud providers and consumers are the two main entities in the business market, but service brokers and resellers are two more emerging service level entities in the Cloud world. These are discussed as follows.

Cloud Providers: Includes Internet service providers, telecommunications companies, and large business process outsourcers that provide either the media (Internet connections) or infrastructure (hosted data centers) that enable consumers to access cloud services. Service providers may also include systems integrators that build and support data centers hosting private clouds, and they offer different services (e.g., SaaS, PaaS, IaaS, etc.) to the consumers, the service brokers or resellers [6].

Cloud Service Brokers: Includes technology consultants, business professional service organizations, registered brokers and agents, and influencers that help guide consumers in the selection of cloud computing solutions. Service brokers concentrate on the negotiation of the relationships between consumers and providers without owning or managing the whole Cloud infrastructure.
Moreover, they add extra services on top of a Cloud provider’s infrastructure to make up the user’s Cloud environment.

Cloud Resellers: Resellers can become an important factor in the Cloud market when Cloud providers expand their business across continents. Cloud providers may choose local IT consultancy firms or resellers of their existing products to act as “resellers” for their Cloud-based products in a particular region.

Cloud Consumers: End users belong to the category of Cloud consumers. However, Cloud service brokers and resellers can also belong to this category as soon as they are customers of another Cloud provider, broker or reseller. In the next section, key benefits of and possible threats and risks for Cloud Computing are listed [7].

III. CLOUD COMPUTING SECURITY ARCHITECTURE

Security within cloud computing is an especially worrisome issue because the devices used to provide services do not belong to the users themselves. The users have no control of, nor any knowledge of, what could happen to their data. This is a great concern in cases when users have valuable and personal information stored in a cloud computing service. Users will not compromise their privacy, so cloud computing service providers must ensure that the customers’ information is safe. This, however, is becoming increasingly challenging because, as security developments are made, there always seems to be someone who figures out a way to disable the security and take advantage of user information. Some of the important components of the Service Provider Layer are SLA Monitor, Metering, Accounting, Resource Provisioning, Scheduler & Dispatcher, Load Balancer, Advance Resource Reservation Monitor, and Policy Management. Some of the security issues related to the Service Provider Layer are Identity, Infrastructure, Privacy, Data transmission, People and Identity, Audit and Compliance, Cloud integrity and Binding Issues.
The Virtual Machine Layer creates a number of virtual machines and operating systems and monitors them. Some of the security issues related to the Virtual Machine Layer are VM Sprawl, VM Escape, Infrastructure, Separation between Customers, Cloud legal and Regulatory issues, and Identity and Access management. The Data Center (Infrastructure) Layer contains the servers, CPUs, memory, and storage, and is henceforth typically denoted as Infrastructure-as-a-Service (IaaS). Some of the security issues related to the Data Center Layer are securing data at rest and physical security of the network and servers.

Some organizations have been focusing on security issues in cloud computing. The Cloud Security Alliance is a non-profit organization formed to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Open Security Architecture (OSA) is another organization focusing on security issues. They propose the OSA pattern, which is an attempt to illustrate core cloud functions, the key roles for oversight and risk mitigation, collaboration across various internal organizations, and the controls that require additional emphasis. For example, the Certification, Accreditation, and Security Assessments series increase in importance to ensure oversight and assurance, given that the operations are being “outsourced” to another provider. System and Services Acquisition is crucial to ensure that acquisition of services is managed correctly. Contingency planning helps to ensure a clear understanding of how to respond in the event of interruptions to service delivery [8]. The Risk Assessment controls are important to understand the risks associated with services in a business context.
The National Institute of Standards and Technology (NIST), USA (http://www.nist.gov/) has initiated activities to promote standards for cloud computing [15]. To address the challenges and to enable cloud computing, several standards groups and industry consortia are developing

specifications and test beds. Some of the existing standards and test bed groups are the Cloud Security Alliance (CSA), the Internet Engineering Task Force (IETF), the Storage Networking Industry Association (SNIA), etc. On the other side, a cloud API provides either a functional interface or a management interface (or both). Cloud management has multiple aspects that can be standardized for interoperability. Some possible standards are federated security (e.g., identity) across clouds; metadata and data exchanges among clouds; standardized outputs for monitoring, auditing, billing, reports and notification for cloud applications and services; and cloud-independent representation for policies and governance. Figure 2 shows the high level view of the cloud computing security architecture.

Figure 2. High Level Security Architecture of Cloud Computing

IV. KEY SECURITY ISSUES IN CLOUD COMPUTING

Cloud computing consists of applications, platforms and infrastructure segments. Each segment performs different operations and offers different products for businesses and individuals around the world. The business application includes Software as a Service (SaaS), Utility Computing, Web Services, Platform as a Service (PaaS), Managed Service Providers (MSP), Service Commerce and Internet Integration. There are numerous security issues for cloud computing as it encompasses many technologies including networks, databases, operating systems, virtualization, resource scheduling, transaction management, load balancing, concurrency control and memory management. Therefore, security issues for many of these systems and technologies are applicable to cloud computing. For example, the network that interconnects the systems in a cloud has to be secure, and mapping the virtual machines to the physical machines has to be carried out securely.
Data security involves encrypting the data as well as ensuring that appropriate policies are enforced for data sharing. The various security concerns in a cloud computing environment are given below.

- Access to Servers & Applications
- Data Transmission
- Virtual Machine Security
- Network Security
- Data Security
- Data Privacy
- Data Integrity
- Data Location
- Data Availability
- Data Segregation
- Security Policy and Compliance
- Patch management

Access to Servers & Applications: In traditional datacenters, administrative access to servers is controlled and restricted to direct or on-premise connections, which is not the case for cloud data centers. In cloud computing, administrative access must be conducted via the Internet, increasing exposure and risk. It is extremely important to restrict administrative access to data and to monitor this access to maintain visibility of changes in system control. The data access issue is mainly related to the security policies provided to users while accessing the data. In a typical scenario, a small business organization can use a cloud provided by some other provider for carrying out its business processes. The organization will have its own security policies, based on which each employee can have access to a particular set of data. The security policies may entail some considerations wherein some of the employees are not given access to a certain amount of data. These security policies must be adhered to by the cloud to avoid intrusion of data by unauthorized users [9].

Most companies store their employee information in some type of Lightweight Directory Access Protocol (LDAP) server. In the case of SMB companies, a segment that has the highest cloud application adoption rate, Active Directory (AD) seems to be the most popular tool for managing users. With a cloud application, the software is hosted outside of the corporate firewall. Many times user credentials are stored in the cloud application provider's databases and not as part of the corporate IT infrastructure.
This means SaaS customers must remember to remove/disable accounts as employees leave the company and create/enable accounts as they come onboard. In essence, having multiple cloud application products will increase IT management overhead. For example, cloud application providers can delegate the authentication process to the customer’s internal LDAP/AD server, so that companies can retain control over the management of users. In large enterprises, user accounts are managed either through the adoption of single sign-on (SSO) or by issuing each employee several different accounts to access different systems. Thus, multiple authentication for each employee is often encountered in an enterprise. The accounts that belong to each individual might be the same or different. Therefore, how the administrator can properly manage those user identification accounts and the corresponding

passwords or achieve the state of SSO is another important issue. Nevertheless, the application of SSO for identification and authentication does carry serious information security risk. In addition, the management of authorized access privileges is also a critical key point [10].

Data Transmission: Encryption techniques are used for data in transmission. Authentication and integrity protection ensure that data goes only where the customer wants it to go and is not modified in transmission. SSL/TLS protocols are used here. In a cloud environment most of the data is not encrypted during processing. But to process data, for any application, that data must be unencrypted. Fully homomorphic encryption, an advance in cryptography, allows data to be processed without being decrypted. The confidentiality and integrity of data in transmission to and from the cloud provider are provided by using access controls such as authorization, authentication and auditing for the use of resources, and by ensuring the availability of the Internet-facing resources at the cloud provider. A man-in-the-middle attack is a cryptographic attack carried out when an attacker can place themselves in the communication path between the users. Here, there is the possibility that they can interrupt and change communications.

Virtual Machine Security: Virtualization is one of the main components of a cloud. Virtual machines are dynamic, i.e. they can quickly be reverted to previous instances, paused and restarted relatively easily. Ensuring that different instances running on the same physical machine are isolated from each other is a major task of virtualization. Virtual machines can also be readily cloned and seamlessly moved between physical servers. This dynamic nature and the potential for VM sprawl make it difficult to achieve and maintain consistent security. Vulnerabilities or configuration errors may be unknowingly propagated. Also, it is difficult to maintain an auditable record of the security state of a virtual machine at any given point in time. Full Virtualization and Para Virtualization are two kinds of virtualization in the cloud computing paradigm. In full virtualization, the entire hardware architecture is replicated virtually. In para-virtualization, however, an operating system is modified so that it can be run concurrently with other operating systems. The VMM (Virtual Machine Monitor) is a software layer that abstracts the physical resources used by the multiple virtual machines. The VMM provides a virtual processor and other virtualized versions of system devices such as I/O devices, storage, memory, etc. Many bugs have been found in all popular VMMs that allow escaping from a virtual machine. A vulnerability in Microsoft Virtual PC and Microsoft Virtual Server could allow a guest operating system user to run code on the host or another guest operating system. A vulnerability was found in VMware’s shared folders mechanism that grants users of a guest system read and write access to any portion of the host’s file system, including the system folder and other security-sensitive files. A vulnerability in Xen can be exploited by “root” users of a guest domain to execute arbitrary commands. The other issue is the control of the administrator on host and guest operating systems. Current VMMs do not offer perfect isolation. A virtual machine monitor should be ‘root secure’, meaning that no privilege within the virtualized guest environment permits interference with the host system.

Network Security: Networks are classified into many types, such as shared and non-shared, public or private, small area or large area networks, and each of them has a number of security threats to deal with. Problems associated with network level security comprise DNS attacks, sniffer attacks, the issue of reused IP addresses, etc., which are explained in detail as follows.

A Domain Name Server (DNS) performs the translation of a domain name to an IP address. Since domain names are much easier to remember, DNS servers are needed. But there are cases when, having called the server by name, the user has been routed to some other evil cloud instead of the one he asked for, and hence using IP address is not always feasible. Although using DNS security measures like Domain Name System Security Extensions (DNSSEC) reduces the effects of DNS threats, there are still cases when these security measures prove to be inadequate, when the path between a sender and a receiver gets rerouted through some evil connection. It may happen that even after all the DNS security measures are taken, the route selected between the sender and receiver still causes security problems.

Sniffer attacks are launched by applications that can capture packets flowing in a network. If the data being transferred through these packets is not encrypted, it can be read, and there are chances that vital information flowing across the network can be traced or captured. A sniffer program, through the NIC (Network Interface Card), ensures that the data/traffic linked to other systems on the network also gets recorded. This can be achieved by placing the NIC in promiscuous mode, in which it can track all data flowing on the same network. A malicious sniffing detection platform based on ARP (Address Resolution Protocol) and RTT (round trip time) can be used to detect a sniffing system running on a network [11].

The reused IP address issue has been a big network security concern. When a particular user moves out of a network, the IP address previously associated with him is assigned to a new user. This sometimes risks the security of the new user, as there is a certain time lag between the change of an IP address in DNS and the clearing of that address in DNS caches. Hence, even though the old IP address is being assigned to a new user, the chance of the data being accessed by some other user is not negligible, as the address still exists in the DNS cache, and the data belonging to a particular user may become accessible to some other user, violating the privacy of the original user [12].
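One way a provider can close the lag described above is to hold a released address out of the pool until every DNS answer that pointed at it has aged out of caches. The following is an added example, not code from the paper: the class and function names are hypothetical, the addresses and hostnames are constructed from documentation ranges, and it assumes resolvers honour record TTLs, with a `grace` margin for those that do not.

```python
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DnsRecord:
    name: str                  # hostname that resolved to the released address
    ttl: int                   # seconds a resolver may cache the answer
    removed_at: Optional[int]  # epoch seconds the record was changed; None = still published


def cache_expiry(record):
    """Last moment a TTL-honouring cache can still return the old address."""
    if record.removed_at is None:
        return math.inf        # dangling record: the name still points at the address
    return record.removed_at + record.ttl


def safe_after(released_at, records, grace=0):
    """Earliest time the address can be handed to a new tenant."""
    latest = max((cache_expiry(r) for r in records), default=released_at)
    return max(released_at, latest) + grace


class AddressPool:
    """Quarantines released addresses until stale DNS answers have expired."""

    def __init__(self, grace=0):
        self.grace = grace
        self._quarantine = {}  # ip -> time at which reuse becomes safe

    def release(self, ip, released_at, records):
        self._quarantine[ip] = safe_after(released_at, records, self.grace)

    def allocate(self, now):
        ready = sorted((t, ip) for ip, t in self._quarantine.items() if t <= now)
        if not ready:
            return None        # nothing is safe to reuse yet
        _, ip = ready[0]
        del self._quarantine[ip]
        return ip


def audit_reassignments(log):
    """Flag past reassignments made while caches could still hold the old mapping.

    log: iterable of (ip, reassigned_at, [DnsRecord, ...]).
    Returns (ip, hostname, seconds_of_exposure) tuples; math.inf means the
    record was never removed.
    """
    findings = []
    for ip, reassigned_at, records in log:
        for r in records:
            remaining = cache_expiry(r) - reassigned_at
            if remaining > 0:
                findings.append((ip, r.name, remaining))
    return findings


# Constructed sample data (documentation address range, example.com names).
SAMPLE_LOG = [
    ("192.0.2.10", 5000, [DnsRecord("shop.example.com", 3600, 4000)]),
    ("192.0.2.11", 90000, [DnsRecord("api.example.com", 300, 4000)]),
    ("192.0.2.12", 5000, [DnsRecord("old.example.com", 300, None)]),
]


def demo():
    pool = AddressPool(grace=60)
    pool.release("192.0.2.10", 4100, [DnsRecord("shop.example.com", 3600, 4000)])
    pool.release("192.0.2.12", 4100, [DnsRecord("old.example.com", 300, None)])
    early = pool.allocate(5000)    # TTL window still open
    later = pool.allocate(7660)    # 4000 + 3600 + 60 s grace
    never = pool.allocate(10**9)   # dangling record keeps 192.0.2.12 quarantined
    return early, later, never, audit_reassignments(SAMPLE_LOG)


if __name__ == "__main__":
    print(demo())
```

The audit function can be run over historical allocation logs to find tenants who received an address while an earlier tenant's hostname could still resolve to it.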

Data security: For the general user, it is quite easy to find the available storage on the side that offers the cloud computing service. To deliver the cloud computing service, the most commonly used communication protocol is Hypertext Transfer Protocol (HTTP). To assure information security and data integrity, Hypertext Transfer Protocol Secure (HTTPS) and Secure Shell (SSH) are the most commonly adopted. In a traditional on-premise application deployment model, the sensitive data of each enterprise continues to reside within the enterprise boundary and is subject to its physical, logical and personnel security and access control policies. However, in cloud computing, the enterprise data is stored outside the enterprise boundary, at the service provider end. Consequently, the service provider must adopt additional security checks to ensure data security and prevent breaches due to security vulnerabilities in the application or through malicious employees. This involves the use of strong encryption techniques for data security and fine-grained authorization to control access to data. At cloud service providers such as Amazon, the Elastic Compute Cloud (EC2) administrators do not have access to customer instances and cannot log into the Guest OS. EC2 administrators with a business need are required to use their individual cryptographically strong Secure Shell (SSH) keys to gain access to a host. All such accesses are logged and routinely audited. While the data at rest in Simple Storage Service (S3) is not encrypted by default, users can encrypt their data before it is uploaded to Amazon S3, so that it is not accessed or tampered with by any unauthorized party [13].

Data Privacy: Data privacy is also one of the key concerns for cloud computing.
A privacy steering committee should also be created to help make decisions related to data privacy. Requirement: This will ensure that your organization is prepared to meet the data privacy demands of its customers and regulators. Data in the cloud is usually globally distributed, which raises concerns about jurisdiction, data exposure and privacy. Organizations stand a risk of not complying with government policies, as would be explained further, while the cloud vendors who expose sensitive information risk legal liability. Virtual co-tenancy of sensitive and non-sensitive data on the same host also carries its own potential risks [14].

Data Integrity: Data corruption can happen at any level of storage and with any type of media, so integrity monitoring is essential in cloud storage, which is critical for any data center. Data integrity is easily achieved in a standalone system with a single database. Data integrity in such a system is maintained via database constraints and transactions. Transaction
